BTCPay Server v1.7.4 – HTML Injection

Exploit Database
90 阅读

作者： Manojkumar J

日期： 2023-04-05
类别：
- webapps
平台：
- multiple
来源：https://www.exploit-db.com/exploits/51254/

# Exploit Title: BTCPay Server v1.7.4 - HTML Injection
# Date: 01/26/2023
# Exploit Author: Manojkumar J (TheWhiteEvil)
# Vendor Homepage: https://github.com/btcpayserver/btcpayserver
# Software Link:
https://github.com/btcpayserver/btcpayserver/releases/tag/v1.7.5
# Version: <=1.7.4
# Tested on: Windows10
# CVE : CVE-2023-0493

# Description:

BTCPay Server v1.7.4 HTML injection vulnerability.

# Steps to exploit:

1. Create an account on the target website.

Register endpoint: https://target-website.com/register#

2. Move on to the API key and create API key with the html injection in the
label field.

Example:

<a href="https://hackerbro.in">clickhere</a>


3. Click remove/delete API key, the html injection will render.

last Exploits
BTCPay Server v1.7.4 – HTML Injection的更多信息

EasyService Billing 1.0 – ‘q’ SQL Injection：
Sitemagic CMS – ‘SMTpl’ Directory Traversal：
Joomla! Component DJ-ArtGallery 0.9.1 – Multiple Vulnerabilities：
Media Search Engine Script – ‘search’ SQL Injection：
OOP CMS BLOG 1.0 – ‘search’ SQL Injection：
aaPanel 6.6.6 – Privilege Escalation & Remote Code Execution (Authenticated)：
Profiling System for Human Resource Management 1.0 – Remote Code Execution (Unauthenticated)：
Datetopia Match Agency BiZ – Multiple Cross-Site Scripting Vulnerabilities：